Analysis
  max time kernel: 133s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-01-2024 09:40
  Static task: static1
  Behavioral task: behavioral1
  Sample: 2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
  Resource: win7-20231215-en
General
  Target: 2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
  Size: 492KB
  MD5: dc73a0184b43be81da178e478ba9fca5
  SHA1: ff7e92e306ffe9f13070b1aabbe4d57abc93ed6d
  SHA256: d72366e3e0c8f717c97001d8ba5eff5b6e07d8536e13eaa9ab1927fce4c97f26
  SHA512: 9cdbb3f843aa66b193705729fc6645d131605e133615609393d9d926b25a8c7ff51a5e915e39f8583489faac80a44fd4b7074633841ceedccb118ae534db6f2b
  SSDEEP: 12288:Qagi9CKepyNMu8u9cXw3pPeWCehtlw/5U:Fgi9tTNj8uww3cTTU
Malware Config
  Extracted: emotet
  Epoch2
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

  Suspicious behavior: EnumeratesProcesses (16 IoCs)
    Processes:
      pid   process
      1896  WinTypes.exe   (same entry repeated for all 16 IoCs)

  Suspicious behavior: RenamesItself (1 IoCs)
    Processes:
      pid   process
      4500  2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe

  Suspicious use of SetWindowsHookEx (4 IoCs)
    Processes:
      pid   process
      4500  2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
      4500  2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
      1896  WinTypes.exe
      1896  WinTypes.exe

  Suspicious use of WriteProcessMemory (3 IoCs)
    Processes:
      description                       pid   process                                                   target process
      PID 4500 wrote to memory of 1896  4500  2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe  WinTypes.exe
      (same entry repeated for all 3 IoCs)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-28_dc73a0184b43be81da178e478ba9fca5_icedid.exe"
     - Suspicious behavior: RenamesItself
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\WinTypes\WinTypes.exe
        Command line: "C:\Windows\SysWOW64\WinTypes\WinTypes.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx